The Domain Name Service (DNS) is ubiquitous in today’s Internet infrastructure. Almost every connection to an Internet service is preceded by a DNS lookup. The vast majority of DNS queries are sent in plaintext. Thus, they reveal information about the connection’s destination [1]. On the Web, this lack of encryption leaks information about the browsing history of users, undermining the encryption of connections that follow the DNS resolution, such as HTTPS.

To resolve a domain name to an IP, clients send a DNS query to a recursive resolver – a server with caching capabilities that implements the DNS resolution protocol. The recursive resolver then contacts a number of authoritative name servers, whose main function is to hold the distributed database of domain names. The recursive resolver traverses the hierarchy of authoritative name servers in a recursive fashion until it obtains the answer for the query and sends it back to the client. Recursive resolvers aggregate traffic from multiple clients and there is a one-to-many relationship between the recursive and authoritative servers. Hence, the privacy risk in the recursive-authoritative link is low. However, DNS traffic between the client and the recursive resolver is linked to a specific origin IP and is exposed to a number of entities, e.g., infrastructure providers such as ISPs and ASes.

The main approach to prevent leakage of information is to encrypt the communication at least up to the recursive resolver. Two major protocols that intend to do so are DNS-over-TLS and DNS-over-HTTPS. These protocols use a TLS session between the client and the recursive resolver to exchange DNS data. In DNS-over-HTTPS (DoH), DNS traffic is exchanged via an HTTPS connection.

In this work, we evaluate the effectiveness of TLS-based solutions for DNS privacy. We focus on DoH because Google and Cloudflare have recently launched DoH services to alleviate the privacy risks associated with DNS. Since HTTPS is essentially HTTP over TLS, we expect our analysis to also apply to DNS-over-TLS solutions. Our goal is to determine whether it is possible to fingerprint and identify webpages from encrypted DNS traffic. We aim to identify specific webpages beyond the IP address in.